Applying ACL to vty in IOS-XR

Unanswered Question
May 12th, 2011


I am trying to apply acl:s to vty on a ASR9k router.

I am doing the following, and this works...

ipv4 access-list VTY-ACL
 10 permit ipv4 any
 20 deny   ipv4 any any log
ipv6 access-list VTY-ACL
 10 permit ipv6 2001:DB8::/32 any
 20 deny   ipv6 any any log
vty-pool default 0 10
line default
 access-class ingress VTY-ACL

The ssh tcp port is still open from any host though. I am not beeing able to log in from other host but the ones specified in the acl:s, but it is possible to portscan tcp 22 from anyhost.

Any suggestions? When applying ACL directly on mgmt interface the port gets blocked.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Bryan Garland Fri, 06/03/2011 - 11:04


This is not the preferred way to do this for the exact reasons you describe.  The better way to do this is via MPP, management plane protection.  This allows us to program the hardware via LPTS to drop unwanted requests in hardware instead of having to have software deal with it.



Alexander Thuijs Mon, 12/08/2014 - 09:01

You can Joseph, but it there are better options.

This is how to apply the access-class a-la ios :

line default
 access-class ingress MYACL

the line template default needs to be associated with your VTY pool or SSH pool right like this:

vty-pool default 0 4 line-template default

and of course telnet daemon needs to run:

telnet vrf default ipv4 server max-servers 4

The reason why this is not preferred is because all the traffic received for us-telnet uis processed by the hardware on teh LC and sent to the RP. then goes through all the forwarding chain until telnet verifies it agaisnt the ACL and says ok deny.

Using MPP, which is hardware based, we can drop packets immediately in the hardware so they are not further forwarded and saves system resources and provides better protection.

Google asr9000 local packet transport services to find a good write up on LPTS and more details about the management plane protection MPP.





joseph hatem Thu, 12/11/2014 - 06:53

thank you xander for you reply.


i wanted to know if we can do the same on asr5000 and not asr 9000.


Please can you advise on this point ?



Alexander Thuijs Thu, 12/11/2014 - 07:14

I don't know the asr5000 well enough to comment on that Joseph...

I have forwarded this discussion to their support group to see if they can comment and add their expertise.




This Discussion

Related Content